FBI wants real-time Gmail, Dropbox spying power (slate.com)
161 points by Lightning on March 27, 2013 | 70 comments



If you value your privacy, it would be prudent to assume any unencrypted communication of yours is compromised.

That includes unencrypted email and any unencrypted data stored on a server not under your control.

Even your encrypted communication might be compromised at some point in the future, given the odds that it has probably been logged by someone as it travelled from hop to hop through the Internet.

Once encrypted data leaves your control, anyone intercepting and logging it can attempt to crack that data at their leisure, virtually indefinitely.

Laws may stop some law-abiding entities from trying. But I wouldn't count on it.


Treat every gun like it's loaded, check both ways before crossing the street, and assume that all of your unencrypted data is already compromised. Sounds like good advice to me.


Put all your knives in the knife drawer, reach in there with caution.


Dropbox and Gmail are already encrypted - the problem is who else can get at the keys. And which other credentials of yours can be compromised starting from there.


Encryption that is out of your control is not encryption in any meaningful sense. You must be the only one who has the key, else the whole process is compromised.


This is a pet peeve of mine, let me know if I'm being a pedant:

Encryption that is out of your control is encryption in a specific, meaningful sense. I believe to effectively use encryption, you have to understand the trade-offs involved and limitations of the technology.

So, Google's encryption is terrific in terms of protecting you from war-drivers. But it won't protect you from the focused attention of the FBI. That doesn't make it good or bad, it's a tool with specific uses and limitations.

I think that lesson needs to be absorbed with all forms of encryption. It's a particularly dangerous area to pop-sci oversimplify.


This is a very good point. You're still putting locks on your doors, but those locks aren't going to stop the SWAT team.


Isn't this tarsnap's selling point? I'm not a user of it, but it seems like a sound service for backup (not cloud sharing of data).


There are quite a few options available from the stand-alone, like SpiderOak, to things that sit on top of Dropbox, such as Boxcryptor.

What I haven't seen is a comprehensive security review of these alternatives. There could be bugs, flaws, or they could outright not be doing what they claim to do.


I thought tarsnap's main selling point was cperciva.


Just because it is not plain text does not mean it is secure.


Even if they can't read, traffic analysis is perhaps more automated, widespread and computationally cheap than communications content interpretation based surveillance that people worry about.

Pick your battles.


Not to be overly tinfoil hatted, but:

Historically, intelligence monitoring of communications providers was done extra-legally (by employees at the communications providers who either worked directly for or were compensated or politically-motivated agents of intelligence agencies). When it doesn't need to be used in court, there are a lot more options. Stuff as simple as an employee providing copies of the day's tapes.

Later, intelligence agencies got smart (particularly the Israelis) and ran cut-rate service providers for support services (VoIP termination, billing reconciliation, etc.), selling to existing consumer-facing providers, primarily for information.

Just because FBI is talking about this for law enforcement purposes (implying they don't have it now) doesn't mean they don't necessarily have various types of existing access for their dual role as a counterintelligence agency, or that other organizations (US and foreign) don't have access.


ECHELON shows us that the US (and the 4 other countries involved) are happy to sidestep the law and spy on their citizens.

ECHELON did it by having 5 nations involved. If the US wanted information on a US citizen they'd pass that name onto the 4 other countries who would do the spying for them.

ECHELON was also used for industrial espionage, providing lots of information to US aerospace.


As far as I know, data obtained using ECHELON or Predator or whatever they are calling it this month, would not be admissible in court. The spying approach might work for the NSA, but the FBI needs data they can use in a court case.


Data that you can't use in court can still be very valuable. For example, if they can illegally determine whom to follow or where to look, then they can focus on collecting enough legally obtained information to paint a picture that gets them a warrant.


This would probably be considered fruit of the poisonous tree so would also be inadmissible. Whether the defence could show that to be the case though is another matter.


Correct me if I'm wrong, but the "No Fly List" doesn't come from a court, does it? That's why it's important that any kind of restriction or punishment be reviewed by and sentenced by a judge after due process. The ISP six-strikes policy comes to mind.


Unless the US executive decides to continue the assassination of US citizens without trial. No court - no need to present evidence.


Am I the only person who assumes that everything we send/receive over the internet is already watched/surveyed/sniffed/logged/at least something by at least one branch of the government?

For the record, I don't mean that in a 'government is bad' tone. That is a different discussion. I mean that in an objective 'you'd think the people who run the country and have access to more resources than we ever will would just find a way to do it in the first place' kind of way.

They can send machines to Mars, have laser guided devices fly to the other side of the world and hit a target, (insert more technically difficult feats here)... but they can't get access to all our data on the wires and networks they govern in their own country? I really doubt that.


I'm with you.

If you look at history and the kind of surveillance powers governments had compared to the general population, it isn't unreasonable to assume that they can "monitor" everything. In fact you can find several YouTube videos of people who claim they created just such a system after 9/11 for the NSA.

The question is not if the NSA are sweeping every piece of electronic communications, the question is: "how much are they storing?"

If they're just building communications trees then that is a lot less invasive than even automated e-mail scanning. However it is very likely they're looking at content too, because historically (e.g. cold war) they always did keyword/phrase monitoring.

If I had to guess, I would guess they're building large communication trees and giving everyone in them a "score" (think: credit score). This score rises based on things like the language used, perceived threat, and similar.

Then when someone's score is high enough or they talk to the "wrong people" you have human analysts who go over their profile with a fine tooth comb...

None of this is impossible with our current technology. In fact it isn't even technically that difficult - just expensive.

Now if you want to get really conspiratorial then let's talk about the public SSL certificate oligopoly. The five or six companies generating the majority of the world's SSL keys are likely handing them straight over to the NSA and in exchange the NSA keeps those companies in power/control of that market.


> Now if you want to get really conspiratorial then let's talk about the public SSL certificate oligopoly. The five or six companies generating the majority of the world's SSL keys are likely handing them straight over to the NSA and in exchange the NSA keeps those companies in power/control of that market.

That's really a very scary thought and I wouldn't be at all surprised if it were true. At least the first part.


There were some talks about this at defcon and black hat. Think a century worth of data for every citizen. The other thing which I haven't been able to fully verify or debunk is a change in the semantics of NSA spying, basically interception isn't considered spying until analysis.

It creates a lot of grey space. First, can the data be used to train up various search agents? After you die can they then analyze your data? Among other things.. and just the general safety of the data.

As for SSL, they shouldn't have your keys, they just sign them and vouch. If NSA compromises the CA authorities they could man in the middle SSL but not get your keys.


Normally the site/user generates SSL keypairs locally. The "public SSL certificate oligopoly" just signs them. So, the NSA could get arbitrary SSL certs issued from compromised CAs for MITM, including replacing them on servers, but still couldn't passively intercept/decrypt.

(Although there's ANOTHER 3 company oligarchy in SSL -- probably Apple and Google and Microsoft actually do generate on their hardware or software the majority of SSL keypairs used. If you compromised there, you could get access to everything, either at generation time, or later through a backdoor. This is unlikely as a pervasive thing since it would be eventually detected, but highly plausible for targeted attacks. If nothing else, government 0-day focused on those platforms to get access to keys would be enough, and wouldn't require cooperation of the vendors.)


I'm with you, almost to the point where stories like this are not even a worthwhile issue. I suppose the story here is that the FBI are being public about it.

The net is the exact opposite of private, and that's that. And really it always has been. What is actually weird is that people ever thought otherwise. Bits can be made private, but even then it's clear to an observer that something private is going on, and then they do everything possible to break it open. It's like a big old, hey, investigate me flag.


"I mean that in an objective 'you'd think the people who run the country and have access to more resources than we ever will would just find a way to do it in the first place' kind of way."

To widen the scope a bit, I find it 'funny' that so many people seem to negate the plausible idea that people with tons of money and tons of power don't use those tools for doing bad things. I'd guess that most people, as long as they can keep work/play, earn/spend cycles going, don't truly care what else is happening.


They certainly have the capability, and they probably use it on some percentage of electronic communication between 0 and 100%.

What they're trying to do here is make more of it admissible in court.


Remember: DARPA and SRI designed the global panopticon.

(You are not alone ;)


I think the same thing is true and I have a very strong suspicion that the reason people are not more outraged is because they've been conditioned by film and television to believe that the government has those powers and uses them routinely.

I don't know whether to point the finger at writers of fiction for our lowered expectations or not, but I'm sure it contributes.


> they've been conditioned by film and television to believe that the government has those powers and uses them routinely.

My unscientific observation (I don't watch these but my SO used to) is that major (USA) network "crime drama" TV shows (fictional) such as NCIS* depict, in every episode, a fully omniscient surveillance state in action [edit: and as a perfectly normal state of affairs]. My suspicion is that the underlying purpose of same is to condition the viewing citizenry of the fact that such exists and is a normal state of affairs, so there will be no problem with the preconditioned citizenry when such becomes real (if it hasn't already).


I'm tempted to believe that also.


Summary: The FBI admits they aren't capable of performing MITM SSL attacks, and that Google is currently providing them with private data. Because of this, they want some sort of real-time inspection powers that do not depend on Google's cooperation.


Secret and probably illegal monitoring techniques cannot be used in court, because defendants have a right to know how evidence was obtained so they can challenge it, and it then wouldn't stay a secret.

Just because they don't currently have any methods they can base a court case on and put on public record doesn't mean they don't have other interception methodologies (whether through cryptographic weaknesses, CA attacks, compromising servers at Google / DropBox, cooperation from / insider double agents at Google / Dropbox / CAs, backdoors installed on clients, compromising user or employee login credentials and so on).


<hat type="tinfoil"> … or they've so thoroughly subverted the SSL certificate "industry" and the major internet backbones that they figure even people using SSL cert pinning aren't going to notice they're already MITMing every single piece of web traffic with self-issued browser-trusted certs. So it's a good PR time to pretend they need new powers.</hat>


Why would they bother MITM? They can just send a national security letter demanding the private key of the CA and a gag order forbidding them from announcing the compromise.


If they can do that, the backdoor will be found by others sooner or later.


Where by "sooner or later", you mean "last year":

http://www.computerworld.com/s/article/print/9235260/Rogue_G...

and

http://www.computerworld.com/s/article/9219606/Hackers_stole...

Fortunately that attack is only possible if you're a despotic nation-state who controls your entire country's internet connection - or perhaps a three letter agency who'd only have to lean on half a dozen or so major internet backbone company CEOs - so you can MITM pretty much _all_ the traffic...


I might be exaggerating a little, but all this does is making the move to "cloud-systems/apps" slow down. People or companies are already afraid of the cloud concerning owning their data, spying, etc... Articles like this are bad advertising (but also good to point out the privacy issues, don't get me wrong here). Maybe everyone should start running their "OwnCloud" (pun and reference intended) as well as their own email system? So in other words, let's abandon the cloud altogether?


So in other words, let's abandon the cloud altogether?

Yes, let's. For non-critical public services like blogs and videos, cloud providers like AWS and VPS hosts are great. But for things that matter significantly, like corporate e-mail, let's abandon the cloud and regain some of the decentralization that the earlier Internet protocols like SMTP exemplify.


If only business and non-business would see eye-to-eye ;-)


Yes. Let's abandon the cloud altogether - as currently engineered, anyway, where it's basically just a private datacenter. If we can find some way to build a distributed, decentralized, encryption-security-based mesh-network system, that might actually deserve to be called "the cloud".


> I might be exaggerating a little, but all this does is making the move to "cloud-systems/apps" slow down.

Every service already says they'll cooperate with law enforcement. Even if it was in-house, you'd have to obey a court order to turn records over. This is more about real-time access.


tl;dr Google and other companies already have the capability to spy on your real-time net activity, but they're (rightly so) currently squeamish about just throwing open the doors and letting the FBI poke around with whomever it pleases. (Which is pretty much the way the cellular carriers handle it) FBI wants more legislation to "fix" this problem. Seems like people in some cases are communicating with each other and the FBI can't listen in, and this situation is intolerable to them.

ADD: What we're probably going to need is a new way for users to universally encrypt data deep in the OSI layer instead of continuing to tack it on top of the stack with downloaded apps. Need to think through that some more.


I thought the DIY cellphone was neat for just this reason. I'd like my next phone to be a hideous contraption made by adding a cellular radio to a Raspberry Pi.


It's the hobbyists that are going to lead here. We're the guys gluing bubble gum to baling wire and figuring out how to make a cowbell out of it.

I took a flyer on how my idea would work as a PC program. https://news.ycombinator.com/item?id=5449049

Not sure I made any progress, but that's the fun part about being a hacker and doing this from your armchair (and Pi/packet radio board) -- anything you can imagine you can begin to realize.

I honestly believe all of this surveillance news is going to result in many more technological solutions, although probably no long-term "wins"


This article is absolute trash. The 4th amendment doesn't apply to your data hosted on Google's servers, and ECPA and CALEA are essentially meaningless here. The truth is that Facebook and Google can give away (or even sell) your data to the government, and they have your consent to do so.

Reading the terms of service and privacy policy of each site you visit daily is a good exercise. Nearly all will contain some ambiguous catch-all provision that they can use your data to "improve [their] services." Then, if they're sued, the question is whether they have the resources to hire a law firm that can convince a court that selling data to the FBI/CIA/etc. improves their services. They do.


> The truth is that Facebook and Google can give away (or even sell) your data to the government, and they have your consent to do so.

Can, but apparently aren't, if the FBI is making a fuss about not liking how things work at the moment. If Google were giving them everyone's Gmail, one assumes they'd just stay quiet about it.


That's nice. Meanwhile, real criminals use Hushmail and Tormail. This is a movement to spy wholesale, nothing more.

If any precedent or piece of legislation disproportionately and negatively affects a certain demographic of a population (let's say those with the means to form their own opinions), while they argue "well it's for everyone's safety", the reality is that it's unjust no matter how you try to spin it.


Why would you use Hushmail over Tormail + your own PGP? I thought Hushmail's rep was pretty well shot[1].

1: http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_p...


OH! I didn't know about that. Seemed like everyone who wanted to send PGP messages was using it, but I guess I was wrong.

I don't use Tormail cause it's painfully slow at times (at least for me) and since I figured they're probably not interested in my plaintext gmail anyway. Stories like this may change my mind.

It's not that (mostly) anything I send is PGP worthy; it's just the principle of it.


"Meanwhile, real criminals use Hushmail"

Somehow, I doubt that the FBI is terribly concerned about that:

http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/


This will sadly only serve to make 'criminals' smarter in their attempts at secrecy, and result in ordinary people becoming criminalised...


Can someone tell me if this is true for Dropbox? I pay for Dropbox and also many family and friends pay for Dropbox. I know several businesses that use Dropbox as a file server. Also I am in Australia.

If Dropbox starts to let a foreign government (in this case the USA) watch our files, I must cancel all accounts and will advise all my friends and family to shut down all Dropbox accounts immediately.

Can someone comment as to the truth of this article? If true that means we can never trust a US company again. Please someone tell me this is scaremongering and FUD and has no substance.


This is, as far as I know, already in the Dropbox T&C's (article here http://articles.businessinsider.com/2011-04-18/tech/30033770...) and their T&C's here https://www.dropbox.com/privacy do mention handing over data in relation to law enforcement requests in section 3


Is there a one-click all in one open source solution I can use to get rid of Gmail? And by that I mean email, calendar etc.

Something I can perhaps just throw up on an S3 instance and pay a few bucks for it every month?

Even if we are just talking about e-Mail frontends: Horde is one of the more popular ones and is just awful UX wise. I don't know of any mature free solution which at least tries to match GMail in this regard.


What about users outside of USA? What is their status? I have the impression we are not considered to have any rights from the US perspective.


Even US citizens traveling outside the country, and especially residing outside the country, are on thin fucking ice. No, the US government does not consider itself beholden to any laws when operating on foreign soil. It also doesn't really define any criteria that when met allow it to operate on foreign soil in the first place. As such, you are, in essence, right now a subject of a global American Empire under which you have no rights - not even a right to life or property.


Regardless of how US government departments and agencies may currently behave with respect to foreign soil, the fact is that the Constitution does apply to foreign soil and doesn't magically disappear.

This was made clear in a 1957 Supreme Court ruling, Reid v. Covert:

"At the beginning, we reject the idea that, when the United States acts against citizens abroad, it can do so free of the Bill of Rights. The United States is entirely a creature of the Constitution. Its power and authority have no other source. It can only act in accordance with all the limitations imposed by the Constitution. When the Government reaches out to punish a citizen who is abroad, the shield which the Bill of Rights and other parts of the Constitution provide to protect his life and liberty should not be stripped away just because he happens to be in another land."

"This Court and other federal courts have held or asserted that various constitutional limitations apply to the Government when it acts outside the continental United States. While it has been suggested that only those constitutional rights which are 'fundamental' protect Americans abroad, we can find no warrant, in logic or otherwise, for picking and choosing among the remarkable collection of 'Thou shalt nots' which were explicitly fastened on all departments and agencies of the Federal Government by the Constitution and its Amendments."

http://www.law.cornell.edu/supct/html/historics/USSC_CR_0354...

http://www.guardian.co.uk/commentisfree/2013/mar/15/charles-...


Tell that to the executive (and Congress, for that matter). They could use a good chuckle.


Interesting that the Government does not include Skype on that list. One can only assume that is because they already have Skype access.


They do have Skype access. https://en.wikipedia.org/wiki/Calea


That reminds me once again of Dotcom's proposal to encrypt almost everything to be safe from the government persuasion.


Some interesting discussion on Reddit about this, too. Especially the top comment.

http://www.reddit.com/r/technology/comments/1b2m4l/fbi_pursu...


So we can expect deep packet inspection very soon then.


Of encrypted traffic?


Yes. In case you're unaware this is currently possible.


If someone wants their e-mail to be truly private and secure what options are available?


Use PGP to encrypt your emails[1]. I've never used it with any server I didn't control (like Gmail), but I'm sure it's possible to set up.

[1] http://lifehacker.com/180878/how-to-encrypt-your-email


Google will never include PGP support in their official web client, because it kills their advertising model (which requires them to have access to the plain text of your emails).

However, as long as Gmail supports IMAP, it's pretty easy to set up PGP encryption/signing with Thunderbird or Mutt or the like. Thunderbird has a plugin/extension for integrating support, and Mutt provides it natively.

If you already use Thunderbird or Mutt, it'll take maybe 15 minutes to set up, and then you don't have to think twice about it.


If you don't run your own mail server you are a clown-person that has no business speaking of security or privacy or digital rights.

Running your own mail server[1] is the "must be at least this tall to ride" threshold for even having an opinion.

[1] and possibly providing your own dialtone, which isn't that tough these days ...



